oauth2 protected service to service communication using service account tokens from kubernetes #291

sjvaiz · 2023-05-11T12:24:57Z

sjvaiz
May 11, 2023

I would like to use kubernetes service account tokens (JWTs) to exchange for access_tokens with Ory. Going through the documentation, I can imagine that it is possible to establish trust relationship between Ory and k8s OIDC discovery endpoint. I do not see in the documentation that shows such a use-case, however I do see that you can simply use private/public key pair to validate JWTs.

My questions is, did anyone try using k8s oidc discovery to exchange service account tokens for access_token and/or faced any challenges?

Answered by vinckr

Jul 11, 2023

Hey @sjvaiz

I havent tried this myself and the documentation does not contain specific information about using Kubernetes service account tokens to exchange for access tokens with Ory.

However, Ory does support the use of JWTs for OAuth 2.0 Grants, which allows a client to send a signed JWT token to an OpenID Connect Provider in exchange for an OAuth 2.0 access token read more here.
You can establish a trust relationship using the trustOAuth2JwtGrantIssuer function as shown here:

import { Configuration, OAuth2Api } from "@ory/client"  
  
const ory = new OAuth2Api(  
 new Configuration({  
 basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,  
 accessToken: process.e…

View full answer

vinckr · 2023-07-11T22:26:44Z

vinckr
Jul 11, 2023
Maintainer

Hey @sjvaiz

I havent tried this myself and the documentation does not contain specific information about using Kubernetes service account tokens to exchange for access tokens with Ory.

However, Ory does support the use of JWTs for OAuth 2.0 Grants, which allows a client to send a signed JWT token to an OpenID Connect Provider in exchange for an OAuth 2.0 access token read more here.
You can establish a trust relationship using the trustOAuth2JwtGrantIssuer function as shown here:

import { Configuration, OAuth2Api } from "@ory/client"  
  
const ory = new OAuth2Api(  
 new Configuration({  
 basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,  
 accessToken: process.env.ORY_API_KEY,  
 }),  
)  
  
export async function createTrustRelation(accessToken: string) {  
 const { data } = await ory.trustOAuth2JwtGrantIssuer({  
 trustOAuth2JwtGrantIssuer: {  
 // The "allow_any_subject" indicates that the issuer is allowed to have any principal as the subject of the JWT.  
 allow_any_subject: true,  
  
 // The "subject" identifies the principal that is the subject of the JWT. It must be unset if `allow_any_subject` is true.  
 subject: "some-subject-id",  
  
 // The "expires_at" indicates, when grant will expire, so we will reject assertion from "issuer" targeting "subject".  
 expires_at: "2021-04-23T18:25:43.511Z",  
 
 // The "issuer" identifies the principal that issued the JWT assertion (same as "iss" claim in JWT).  
 issuer: "https://example.org",  
  
 // The public key with which the JWT's signature can be verified (example)  
 jwk: {  
 alg: "RS256",  
 use: "sig",  
 kty: "RSA",  
 e: "AQAB",  
 kid: "d8e91f55-67e0-4e56-a066-6a5f0c2efdf7",

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

oauth2 protected service to service communication using service account tokens from kubernetes #291

{{title}}

Replies: 1 comment

{{title}}

Select a reply

oauth2 protected service to service communication using service account tokens from kubernetes #291

sjvaiz May 11, 2023

Replies: 1 comment

vinckr Jul 11, 2023 Maintainer

sjvaiz
May 11, 2023

vinckr
Jul 11, 2023
Maintainer